(1)

MOBILE DEVICE SECURITY

Time to Move into High Gear!

Karen McDowell, Ph.D., GCIH, Information Security, Policy, and Records Office, University of Virginia

(2)

Varieties of Devices at Risk

- Laptops and Netbooks
- External storage devices like USB drives
- Smart phones
  - BlackBerry (RIM Operating System)
  - Windows Mobile Operating System
  - Palm Operating System (WebOS)
  - iPhones / iPod touch
  - Android System
  - Symbian System

(3)

Focus on Smart Phones

(4)

Smart Phone Growth

- Total smart phone sales grew by 8 million units in Q2 2009 [1]
- Four things driving growth:
  - Increasing amount of time we spend online, whether for business or pleasure
  - Convenience and efficiency
  - Instant gratification: hard to wait to check messages or update status
  - Desire to look good while going online [2]

[2] <cnet.com> March 2008, Tom Krazit

(5)

Smart Phone Security 2009

- Proliferation of mobile devices with powerful computing resources
- No massive malware outbreak to date = no panic about security
- Little incentive for hackers to develop malware because of limited vectors to scam
  - Texting, premium rate numbers, vishing
- Encryption and protection options not well known

(6)

Users Oblivious to Threats

- Mistaken sense that smart phones are immune to security threats
- “Smartphone owners remain oblivious to security risks despite using their handhelds for a growing range of applications that introduce potential problems, such as web surfing”
- Concomitantly we are witnessing an explosive growth in social networking

(7)

Smart Phone Security 2010

- Smart phones especially difficult to protect
- Many types of smart phones & BYOphone = less IT control
- Smart phones let us surf the Internet, shop and bank online
- We are socially and technically conditioned to enter data from a smart phone
- Fertile market for malware vendors to attack

(8)

Smart Phone Architecture

- Early versions had a default-deny security model with no extraneous services running
- Every feature added from the ground up
- Portability and customer convenience are now design goals
- Code base has
  - many communications services
  - data handling hooks
- Security model is currently default-allow

(9)

Smart Phone Security Caveats

- Good security is built in, not added on
- Phone and application developers must build in security while this technology is relatively new
  - Developers must ensure unused code is removed or disabled where appropriate

(10)

Early Warnings

- “The smartphone will become a major security target… Personally I think this will become an epiphany to malware authors.” [1]
- “At this point, mobile device capability is far ahead of security… We’ll start to see the botnet problem infiltrate the mobile world in 2009.” [2]

[1] Rich Cannings, Google’s Android Security Team, <independent.co.uk> 10/2009
[2] Patrick Traynor, School of Computer Science, Georgia Tech Information Security Center

(11)

Security Policies Essential

- Policies are a necessity, not a luxury
  - Auditing and Authentication
  - Centralized security management
  - Data loss prevention
  - Encryption
  - Unauthorized access
  - User training

(12)

Corporate Smart Phone Policy

- Corporate policy must strictly enforce remote delete, password, and encryption policies
- Passcode-lock enhances auto-lock
- Exceeding the number of allowed password attempts deletes all data
- Enable at least 4 digits; depends upon IT policies
- Configure the pre-set auto-lock time period to less than one hour

(13)

Non-Business Smart Phone Use

- Non-business users can rely on features common to most smart phones
  - User sets auto-lock to lock the screen after a pre-set period of non-use
- Connect only to WPA-secured Wi-Fi networks in any case!
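The policy points on slides 12 and 13 (remote delete, passcode, encryption, wipe after too many failed attempts, auto-lock under one hour, WPA-secured Wi-Fi only) can be turned into a mechanical check. The script below is an added example, not code from the slides or from the University of Virginia; the DeviceConfig fields, the threshold constants and the two sample configurations are assumptions chosen for illustration (the 10-attempt ceiling mirrors the iPhone "Erase Data" setting mentioned on slide 16).

```python
"""Policy check for the smart phone settings listed on slides 12 and 13.

Added example, not code from the slides. DeviceConfig, the thresholds and the
sample configurations are assumptions for illustration."""

from dataclasses import dataclass, field
from typing import List, Tuple

MIN_PASSCODE_DIGITS = 4          # slide 12: "at least 4 digits"
MAX_AUTO_LOCK_MINUTES = 59       # slide 12: "less than one hour"
MAX_FAILED_ATTEMPTS = 10         # assumed ceiling; slide 16 cites 10 for the iPhone


@dataclass
class DeviceConfig:
    name: str
    passcode_digits: int                     # 0 means no passcode set
    auto_lock_minutes: int                   # 0 means the screen never locks
    wipe_after_failed_attempts: int          # 0 means the feature is off
    remote_delete_enabled: bool
    storage_encrypted: bool
    wifi_networks: List[Tuple[str, str]] = field(default_factory=list)  # (ssid, security)


def check_policy(cfg: DeviceConfig) -> List[str]:
    """Returns every policy violation found; an empty list means compliant."""
    findings = []
    if cfg.passcode_digits < MIN_PASSCODE_DIGITS:
        findings.append(f"passcode: {cfg.passcode_digits} digits set, "
                        f"at least {MIN_PASSCODE_DIGITS} required")
    if cfg.auto_lock_minutes <= 0 or cfg.auto_lock_minutes > MAX_AUTO_LOCK_MINUTES:
        findings.append(f"auto-lock: {cfg.auto_lock_minutes} minutes, "
                        f"must be between 1 and {MAX_AUTO_LOCK_MINUTES}")
    if cfg.wipe_after_failed_attempts <= 0:
        findings.append("failed-attempt wipe: disabled")
    elif cfg.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS:
        findings.append(f"failed-attempt wipe: threshold {cfg.wipe_after_failed_attempts} "
                        f"exceeds {MAX_FAILED_ATTEMPTS}")
    if not cfg.remote_delete_enabled:
        findings.append("remote delete: not enabled")
    if not cfg.storage_encrypted:
        findings.append("encryption: device storage not encrypted")
    for ssid, security in cfg.wifi_networks:
        # Slide 13: connect only to WPA-secured networks; open and WEP fail.
        if not security.upper().startswith("WPA"):
            findings.append(f"wi-fi: saved network {ssid!r} is {security}, "
                            "only WPA-secured networks are allowed")
    return findings


# Constructed sample configurations (not real devices).
WEAK = DeviceConfig("weak-phone", 0, 0, 0, False, False,
                    [("CoffeeShop", "open"), ("Home", "WPA2")])
COMPLIANT = DeviceConfig("managed-phone", 6, 15, 10, True, True,
                         [("Corp", "WPA2-Enterprise")])


def report(cfg: DeviceConfig) -> str:
    """Human-readable summary of check_policy for one device."""
    findings = check_policy(cfg)
    if not findings:
        return f"{cfg.name}: compliant"
    return f"{cfg.name}: {len(findings)} violation(s)\n  - " + "\n  - ".join(findings)


if __name__ == "__main__":
    for device in (WEAK, COMPLIANT):
        print(report(device))
```

Running the script prints six violations for the weak profile and "compliant" for the managed one; an MDM export or a manual settings survey can be fed in the same way by populating DeviceConfig.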

(14)

Secure a BlackBerry (BES)

- If you connect to the BlackBerry Enterprise Server (BES) on a corporate intranet, ask the BlackBerry server admin to enforce these options and test them
  - Password or passcode (PIN) protection
  - Remote Delete
  - Encryption
- If you connect to the BlackBerry Internet Service (BIS), use POP3s over SSL to increase security from the BIS server back to your mail server.
  - The data is secure from your device back to the BIS servers, because it uses SSL over a secure network

(15)

Secure Windows Smart Phone

- If you connect to a Windows Exchange Server on a corporate intranet, ask the IT folks to enforce the password protection, remote delete, and encryption options, and test them
  - Remote Delete through Outlook Web Access
  - Encryption may only be possible if you use a removable flash storage card, even if you connect to an Exchange server
- If you are a non-business user, encrypt with a removable flash memory storage card
- Antivirus protection is available from third parties.
- Remote delete is available as long as GPS is installed

(16)

Secure an iPhone

- The Erase Data function lets you completely wipe your iPhone after 10 failed passcode attempts
- Enable the iPhone “Ask to Join Networks” function
- Non-business users
  - Use POP3s over SSL to increase security
  - The Center for Internet Security (CIS) released free guidelines to help organizations develop custom policies related to iPhone use

(17)

Secure a Palm Pre (WebOS)

- Original PalmOS does not allow for encryption or timed auto-lock
- New Palm webOS enables these features
- Both operating systems can connect to an Exchange server through ActiveSync
  - Remote Delete is available through Outlook Web Access
  - Encryption may only be possible if you use a removable flash storage card and a third-party provider
- Non-business users
  - Use POP3s over SSL to increase security
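Slides 14, 16 and 17 all recommend "POP3s over SSL" for non-business mail. What that buys you is that the USER/PASS login and every downloaded message travel inside a verified TLS session instead of in the clear on port 110. The snippet below is an added example written for this page, not code from the slides or from any phone vendor; the helper names, the host and credential parameters, and the TLS 1.2 floor are assumptions.

```python
"""POP3 over verified TLS (POP3S, port 995) versus cleartext POP3 (port 110).

Added example, not from the slides. Function names, parameters and the
TLS 1.2 minimum are assumptions chosen for illustration."""

import poplib
import ssl
from typing import Dict, Tuple

POP3_PLAIN_PORT = 110   # cleartext: login and mail readable by anyone on the path
POP3S_PORT = 995        # TLS from the first byte; this is what the slides call POP3s


def mail_tls_context() -> ssl.SSLContext:
    """Context that refuses unverified or wrongly named servers.

    create_default_context() loads the system CA store and sets
    CERT_REQUIRED plus check_hostname; we additionally pin a TLS 1.2 floor
    so a downgraded session is rejected rather than silently accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_settings(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarises the properties that make the context safe to use."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def open_mailbox(host: str, user: str, password: str) -> poplib.POP3_SSL:
    """Connects with POP3S and logs in.

    With the strict context, a server that presents an untrusted or
    mis-named certificate raises ssl.SSLCertVerificationError during the
    handshake, before USER/PASS are ever sent.  The cleartext alternative,
    poplib.POP3(host, POP3_PLAIN_PORT), has no such protection."""
    conn = poplib.POP3_SSL(host, POP3S_PORT, timeout=30, context=mail_tls_context())
    conn.user(user)
    conn.pass_(password)
    return conn


def mailbox_summary(conn: poplib.POP3) -> Tuple[int, int]:
    """Returns (message count, total bytes) reported by the server's STAT."""
    return conn.stat()


if __name__ == "__main__":
    print(tls_settings(mail_tls_context()))
    # Placeholder host and credentials; replace with your own provider's values.
    # mbox = open_mailbox("pop.example.invalid", "user", "secret")
    # print(mailbox_summary(mbox)); mbox.quit()
```

Port 995 alone is not the point; the verify_mode and check_hostname settings are what stop a device on an open Wi-Fi hotspot from handing its mailbox password to whoever answers on that port.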

(18)

Palm Pre Phones Home!

- Palm Pre webOS sends back to Palm
  - Your location via GPS
  - Which webOS apps you use
  - How long you use them
- Location data for LBS (location-based services) apps like Google Maps is OK
- Palm’s response is to turn it off, but no one knows how to do it

(19)

Bluetooth Threat Vectors

- Bluejacking: sending unsolicited messages over Bluetooth (BT) to BT-enabled devices
  - Limited range, usually around 33 ft on mobile phones
  - Laptops can reach up to 328 ft with a powerful transmitter
- Bluesnarfing: unauthorized access of information from a wireless device through a BT connection
  - Allows access to a calendar, contact list, emails and text messages, and on some phones users can copy pictures and private videos
  - Possible on any BT-enabled device
  - Either can do serious harm; Bluesnarfing copies info from the victim’s device and is more dangerous

(20)

Lock Down Bluetooth!

- Bluetooth is default-on
  - Wastes your battery
  - Leaves you open to Bluetooth-based attacks

(21)

Twitter on Smart Phones

- Two security issues
  - Link shorteners like TinyURL lead users to unknown destinations
  - Single login system
- Phishers used Twitter in an attack, May 2009 [1]
  - Bogus accounts of “hot” women
  - Tiny URLs obfuscated real sites
- Clicking on a Twitter-delivered video installs rogue antivirus, which demands payment [2]

[1] <gadgetwise.blogs.nytimes.com> 5/2009

(22)

Viruses and Smart Phones

- Viral epidemics: highly fragmented smart phone market share has inhibited outbreaks
- Only smart phones susceptible to viruses
- Once a single mobile operating system market share grows large enough…
- Smart phone annual growth rate = 150%
  - Bluetooth virus (short range)
  - Multimedia Messaging System (MMS) virus spreads using the device address book

National Science Foundation <nsf.gov> 5/21/2009
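The claim on this slide, that a fragmented market has inhibited outbreaks and that a dominant OS would change that, is a threshold effect, and a small simulation makes it visible. An MMS worm that spreads through address books can only take hold on contacts running the same OS, so the expected number of onward infections per device is (contacts per address book) multiplied by (that OS's market share); below 1 an outbreak dies out, above 1 it percolates through most of that OS's installed base. The model below is an added example, not from the slides or the NSF source; the random contact graph, the five-contact address books, the population size and the seed are assumptions chosen for illustration.

```python
"""Same-OS percolation model of an address-book (MMS) worm, illustrating why
market fragmentation limits outbreaks (slide 22).

Added example, not from the slides. The contact-graph model and all
parameters are assumptions for illustration."""

import random
from collections import deque
from typing import List, Tuple


def build_population(n: int, contacts_per_device: int, os_share: float,
                     rng: random.Random) -> Tuple[List[List[int]], List[bool]]:
    """Each device gets an address book of random contacts and runs the
    'target' OS with probability os_share. Returns (address_books, runs_target)."""
    books = [rng.sample(range(n), contacts_per_device) for _ in range(n)]
    runs_target = [rng.random() < os_share for _ in range(n)]
    return books, runs_target


def simulate_outbreak(books: List[List[int]], runs_target: List[bool],
                      rng: random.Random) -> float:
    """Start from one infected target-OS device. Every infected device messages
    its whole address book, but only same-OS contacts can run the payload.
    Returns the fraction of ALL devices that end up infected."""
    candidates = [i for i, t in enumerate(runs_target) if t]
    if not candidates:
        return 0.0
    seed = rng.choice(candidates)
    infected = {seed}
    queue = deque([seed])
    while queue:
        device = queue.popleft()
        for contact in books[device]:
            if runs_target[contact] and contact not in infected:
                infected.add(contact)
                queue.append(contact)
    return len(infected) / len(books)


def reproduction_number(os_share: float, contacts_per_device: int = 5) -> float:
    """Expected same-OS contacts per infected device; sustained spread needs R > 1."""
    return contacts_per_device * os_share


def mean_outbreak_fraction(os_share: float, n: int = 2000, contacts_per_device: int = 5,
                           trials: int = 20, seed: int = 2009) -> float:
    """Average infected fraction over several fresh populations (fixed seed,
    so results are reproducible)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        books, runs_target = build_population(n, contacts_per_device, os_share, rng)
        total += simulate_outbreak(books, runs_target, rng)
    return total / trials


if __name__ == "__main__":
    # Market share of the single OS the worm targets, from fragmented to dominant.
    for share in (0.10, 0.15, 0.25, 0.40, 0.60):
        print(f"share={share:.2f}  R={reproduction_number(share):.2f}  "
              f"infected fraction={mean_outbreak_fraction(share):.3f}")
```

With five contacts per address book the threshold sits at a 20% share: at 15% (R = 0.75) the worm reaches a handful of devices and stops, at 60% (R = 3) it reaches more than half of the whole population in nearly every run. The same arithmetic is why the slide's "once a single mobile operating system market share grows large enough…" ends the way it does, and why per-device controls (patching, not auto-running MMS attachments) matter more as share concentrates.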

(23)

Social Engineering Threats

- The best security in the world will not help you if
  - you click on a phishing email and give your personal information
  - you respond to a vishing phone call
- Never give information via email, by phone or on the web unless you initiate the exchange, and then only if you employ best security practices

(24)

Threats to Smart Phones 2009

- Attackers will exploit our social conditioning to enter personally identifiable information (PI) while interacting with phone voice response, to commit vishing and identity theft. [1]
- We demand more and better availability from phone service than we would from an ISP, “so the threat of a DoS attack might compel carriers to pay out on a blackmail scam.” [1]

(25)

Broader Issues

- Sensitive data storage on smart phones
- Users still clicking on phishing email
- RIM BlackBerry phishing hole fixed, if you download the patch
- Transferring files from a computer
- China’s 3G revolution may drive threats
- Malware threat from spoofed cell phone texts sent to GSM networks

(26)

Mobile Security Basics

1. Install anti-virus and at least 2 anti-malware products
2. Encrypt, especially if you handle sensitive data
3. Turn on the firewall [a speed bump to attackers, yet it’s layered security]
4. Install covert data deletion software
5. Create a long password, best >15 characters [first line of defense: strength in length]
6. Secure devices physically with physical locks
7. Encrypt all USB drives*
8. Do NOT connect to insecure wireless hotspots!

(27)

Mobile Devices & Best Practices

- Maintain situational awareness when carrying electronic devices
- Do not make your mobile device an obvious target
  - Disguise your laptop by carrying it in a non-laptop bag
  - Hide it in the trunk if you must store it in a vehicle, but do not let anyone see you hide it
  - Never carry more information in your mobile device than you absolutely need

(28)

Best Practices II

- Back up data frequently to mitigate data loss in a worst-case scenario
- Carry your laptop on board flights
  - Store it under the seat in front of you
- Watch your mobile device as you go through airport security
  - Known bad location for device theft
- Do not use insecure wireless hotspots
  - Save important transmissions until you can connect to a secure environment

(29)

Mobile Device Data Losses

(30)

Mobile Device Data Losses

- Mobile device theft occurs every 12 seconds
- Theft or loss of a computer or other data-storage devices accounted for 48 percent of data breaches that could lead to identity theft and for 66 percent of the identities exposed in 2008 [1]
- 196 data breaches involving personally identifiable information (PI) publicly reported in 2009, affecting 3,943,522 records [2]
- Costs already calculated in millions of dollars, to say nothing of collateral damage

[1] Symantec Global Internet Security Threat Report, Trends for 2008, Volume XIV, April 2009
[2] Open Security Foundation <datalossdb.org>

(31)

Cost of a Security Breach

- $202 USD per stolen database record
  - Forensics cost
  - IT staff not productive because of the breach
  - Legal and compliance fees
  - Loss of customers; disastrous PR
  - Attackers may extort millions of dollars
  - Nothing good about it
  - 10,000 sensitive database records = $2M breach

(32)

Mobility = Higher Risk Agility

(33)

Mobility = Higher Risk Agility

- Business travelers lose more than 12,000 laptops per week in U.S. airports [1]
- One in 10 people have lost a laptop, smart phone, or USB flash drive with stored corporate information
- 79% frequently or sometimes leave their workplace with a mobile device such as a laptop, smart phone, or USB flash drive containing sensitive information [2]

[1] <aviationweek.com> July 3, 2008
[2] RSA, Security Division of EMC, Insider Threat 2008 Survey <rsa.com>

(34)

Avoid Maginot Line Security

- Think “Layered Security” or “Defense in Depth”
- Attackers penetrate our computers daily
- Smart phones are unusually vulnerable
- We can and must make it difficult for them
- “Systemic, cascading risk…” given any user who does not follow best practices
- We all have a responsibility to employ best security practices proactively, not reactively

Tom Kellermann <kcrw.com/people/kellermann_tom?role=guest> 5/29/2009
